Getting 'acces denied'

**megha** · 09-15-2012, 03:20 AM

Hi,
I am getting access denied error when i run this code -

PHP Code:


<?php

if($_GET['pass'] != 'password') die('access denied');

error_reporting(E_ALL);

if(!is_dir('thumbs')) mkdir('thumbs') or die('can\'t create thumbs directory');

$file_list = array();



if ($handle = opendir('.')) {

   while (false !== ($file = readdir($handle))) {

      if (strtolower(array_pop(explode('.',$file))) == 'jpg') {

         $file_list[] = $file;

      }

   }

   closedir($handle);

}



$count = 0;

$total = count($file_list);

foreach($file_list as $file) {

   $save_path = getcwd().'/thumbs/';

   $im = imagecreatefromjpeg($file);

   $new_x = imagesx($im) / 10;

   $new_y = imagesy($im) / 10;

   $small = imagecreatetruecolor($new_x,$new_y);

   imagecopyresampled($small,$im,0,0,0,0,$new_x,$new_y,imagesx($im),imagesy($im));

   imagejpeg($small,$save_path.$file,85);

   imagedestroy($im);

   imagedestroy($small);

   usleep(100);

   set_time_limit(90);

   $count++;

   echo "Working on file {$count} / {$total}<br>\n";

   flush();

}

?>

It basically tries to create a thumbnail gallery.Do i need some .jpeg images in the same folder where the php file is located?
Pls help

**djr33** · 09-15-2012, 03:57 AM

PHP Code:


if($_GET['pass'] != 'password') die('access denied');

Looks to me like you didn't have the "password". Either remove this line, or type the URL like this:
your-website.com/somewhere/page.php?pass=password

Whoever created that script used that as a security precaution so no one else could modify the images. But of course if you don't want it, it's not necessary for the rest of the script.

**megha** · 09-20-2012, 11:14 AM

Thanks now it works!!

**keyboard** · 09-20-2012, 11:23 AM

If this thread is finished, please set it to resolved.
You can do this by editing the first post within the thread - Pressing go advanced - Then where it says no prefix, selecting resolved then save.

**traq** · 09-21-2012, 02:03 AM

Originally Posted by djr33

Whoever created that script used that as a security precaution ...

of course, it's not *much* of a security precaution.

if your site doesn't have a user login system (and since you're checking for a password directly in this script, I'm assuming it doesn't), then it will be an easy guess that the password should be in the query string. and "password" (along with "secret", "123456", "qwerty", and "f***") is probably the first password a malicious user will try.

A much, much better solution would be to *remove* this script from your server once you're done using it.
If you need to use it regularly, you should work out a better security measure.

**keyboard** · 09-21-2012, 02:14 AM

Originally Posted by traq

if your site doesn't have a user login system (and since you're checking for a password directly in this script, I'm assuming it doesn't), then it will be an easy guess that the password should be in the query string. and "password" (along with "secret", "123456", "qwerty", and "f***") is probably the first password a malicious user will try.

Who tries f*** as a password?

**traq** · 09-21-2012, 02:57 AM

words of a, shall we say, "uncouth" nature? are common as passwords.
it's pretty easy to remember, after all - often the first utterance after multiple failed login attempts.

**bernie1227** · 09-21-2012, 03:06 AM

According to the password bible, made after the playstation network's password databases were breached, the most common password was:
"Seinfeld"
Followed by:
"Purple"
"Princess"
"Abc123

**djr33** · 09-21-2012, 03:56 AM

of course, it's not *much* of a security precaution.

if your site doesn't have a user login system (and since you're checking for a password directly in this script, I'm assuming it doesn't), then it will be an easy guess that the password should be in the query string. and "password" (along with "secret", "123456", "qwerty", and "f***") is probably the first password a malicious user will try.

A much, much better solution would be to *remove* this script from your server once you're done using it.
If you need to use it regularly, you should work out a better security measure.

This is all true. But... it does provide some security-- if people don't know this page exists, and they don't know to try a password in the address bar... they just won't have access, regardless of how weak the password is. Note that "pass" is also acting as a sort of password-- they'd have to try other combinations like password=password and p=password also, not to mention password=pass, etc.
But, the fatal problem here is that it gives you a hint about what's wrong. This script should show NOTHING if there's an error, or better yet give a (fake) 404.

Regardless, it's not doing much here anyway. Removing it from the server is a good idea. Or you could just add "exit;" to the top of the page-- disable it for everyone, including yourself-- edit it later if you need to use it.